2015-08-03 - RIG EK FROM 46.30.46.26

PCAP AND MALWARE:

• ZIP archive of the PCAP:  2015-08-03-Rig-EK-traffic.pcap.zip
• ZIP file of the malware:  2015-08-03-Rig-EK-malware-and-artifacts.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• www.unitedmedia-llc.com - Compromised website
• 223.130.27.185 port 80 - clubberz.com.au - Redirect/gate
• 46.30.46.26 port 80 - call.conceptualviz.com - Nuclear EK

 

SCREENSHOTS FOR SCRIPT FROM COMPROMISED WEBSITE AND REDIRECT:

 

TRAFFIC:

• 2015-08-03 13:41:00 UTC - www.unitedmedia-llc.com - GET /

• 2015-08-03 13:41:01 UTC - clubberz.com.au - GET /pro___/wp-content/themes/rttheme17/ckv4dlmt.php?id=8149734

• 2015-08-03 13:41:02 UTC - call.conceptualviz.com - GET /?w3eKdbGUKx_MDYU=l3SKfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-
  ofSih17OIFxzsmTu2KV_OpqxveN0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWE9EeINA5ErMCQHORt2VzyzbdAecl0x0LWuGlSnbwdVkgbrA

• 2015-08-03 13:41:03 UTC - call.conceptualviz.com - GET /index.php?w3eKdbGUKx_MDYU=l3SMfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-
  ofSih17OIFxzsmTu2KV_OpqxveN0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWE9EeINA5ErMCQHORt2VzyzbdAecl0x0LWuGlSnbwdVkgbogAQlryJQ-
  DbpgN6V0ggEkqfPZVlqx7IQnmtayh42P26Rjl-1g

• 2015-08-03 13:41:05 UTC - call.conceptualviz.com - GET /index.php?w3eKdbGUKx_MDYU=l3SMfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-
  ofSih17OIFxzsmTu2KV_OpqxveN0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWE9EeINA5ErMCQHORt2VzyzbdAecl0x0LWuGlSnbwdVkgbogAQlryJQ-
  DbpgN6V0ggDE3KPZVlqx7IQnmtayh42P2-SThznuWD&dop=0340

 

SCREEN SHOTS FOR SOME OF THE POST-INFECTION TRAFFIC:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the PCAP:  2015-08-03-Rig-EK-traffic.pcap.zip
• ZIP file of the malware:  2015-08-03-Rig-EK-malware-and-artifacts.zip

All zip archives on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.